According to researchers at Cylance, a security startup, a vast number of western organizations have been breached by hackers operating out of Iran. Cylance has designated this group of hackers: Operation Cleaver. Cylance has been tracking this group for over two years. Cylance recently released a report on the group earlier than they intended. As for the rationale behind the early release, the company stated:

Iran’s rising expertise, along with their choice of victims, has compelled us to release this report sooner than we would have liked in order to expose Operation Cleaver to the world.

Airports and airlines are amongst the list of targets and victims of Operation Cleaver, which according to the report is “[p]erhaps the most bone-chilling evidence we collected in this campaign.” According to the report, both physical and cyber assets, as well as logistics information, were compromised at major airline operators, airports, and transportation companies.

[T]heir entire remote access infrastructure and supply chain was under the control of the Cleaver team. . . . They achieved complete access to airport gates and their security control systems. . . . There is a possibility that this campaign could affect airline passenger safety.

According to the report, Iran is extremely active in the world of hacking. While Cylance admits in the report that attribution is difficult, they state that the infrastructure utilized in the Operation Cleaver campaign is too significant to be a lone individual or a small group. Additionally, some crucial details led Cylance to link the Cleaver attacks specifically to Iran. Infrastructure used by the attackers was registered in Iran to a corporate entity called Tarh Andishan and was hosted by Netafraz.com, an Iranian provider out of Isfahan. While another nation could set up a decoy operation that points to Iran, the list of targets support the theory of Iranian backing. The report also warns of Iran’s unique advantage in backing this kind of attack:

With minimal separation between private companies and the Iranian government, their modus operandi seems clear: blur the line between legitimate engineering companies and state-sponsored cyber hacking teams to establish a foothold in the world’s critical infrastructure.

The End Goal

While the Cylance report admits that the end goal of Operation Cleaver is not known at this time, the report goes on to state that Operation Cleaver appears to have big intentions to position themselves to impact critical infrastructure globally, relying on the choice of targets. The report also points to the future 2015 Iranian nuclear discussions as a potential motivating factor, suggesting that the attacks may be tied to negotiating power when discussing a pact with the nuclear superpowers of United States, Britain, France, Germany, Russia and China.

Vulnerabilities in Critical Infrastructure Organizations

According to the researchers at Cylance, many critical infrastructure organizations are unable to secure their complex environments from modern attacks because they are relying on “status quo” security measures for fear that if they implement changes they will find problems they have no idea how to prevent. In the report‘s conclusion, Cylance laid out their mission in releasing this report:

We hope that by exposing the Operation Cleaver team to the world, current global critical infrastructure victims can be notified, and prevent future victimization from suffering the consequences of “status quo” security. . . . If Operation Cleaver doesn’t get the world to wake up to what is happening in the silent world of cyber, then perhaps nothing will.

More on Cylance:

The founder of Cylance, Stuart McClure, is the former Global CTO of McAfee and the lead author of the international best-selling book Hacking Exposed. The Cylance research team lives by the mantra “Think Evil, Do Good,” a mantra displayed in hex string on the Operation Cleaver logo. Cylance states that what separates them from other security companies is their ability to “think like an attacker” and utilize innovative detection methods that move beyond the “status quo” of current security models, particularly through their unique algorithmic approach. (However, other companies have turned to similar algorithmic approaches, such as the Israel start-up ThetaRay mentioned in this earlier Crossroads RoundUp). Cylance’s algorithmic approach to threat detection is based on mathematics, machine learning, and data science.

Professor William Snyder

Ryan D. White

Ryan is currently a third year law student at Syracuse University College of Law, and is also pursuing a Master of Public Administration degree from Syracuse’s Maxwell School of Citizenship and Public Affairs. Ryan spent time with Homeland Security Investigations while pursuing his undergraduate degree at Wesleyan University, and spent his first summer of law school as clerk for the U.S. Attorney’s Office in the Western District of New York. He is a member of Syracuse Law Review, the Journal on Terrorism and Security Analysis, and participates in the Veteran’s Legal Clinic.

Christopher W. Folk

is a 2017 graduate of SU College of Law. A non-traditional student, Christopher returned to academia after spending nearly twenty years in the high tech industry. Christopher served in the Marine Corps, graduated from Cornell University with a B.S. In Applied Economics and Business Management, attended Northeastern University’s High-Tech MBA Program and received a M.S. In Computer Information Systems. Christopher previously worked in Software Engineering. Christopher is currently serving his second term as Town Justice for the Town of Waterloo. Christopher externed with a Cybersecurity firm in the Washington, D.C. area between his first and second year at SU College of Law.

Anna Maria Castillo

is 2016 graduate of Syracuse College of Law. She also holds a Master of Arts in International Relations from Syracuse University's Maxwell School of Citizenship and Public Affairs. She has interned at a London-based think-tank that specializes in transnational terrorism and global security and at the legal department of a defense contractor. She served as an executive editor in the Syracuse Law Review.

Jennifer A. Camillo

is a 2015 graduate of Syracuse College of Law and is a prosecutor. She has served as a law clerk in the United States Attorney’s Office for the Northern District of New York and the Cayuga County District Attorney’s Office and as an extern in the Oneida County District Attorney’s Office. She was a member of the Syracuse National Trial Team and was awarded the Tiffany Cup by the New York Bar Association for her trial advocacy achievements.

Tara J. Pistorese

holds Juris Doctor and Masters of Public Administration degrees from Syracuse University's Maxwell School of Citizenship and Public Affairs and its College of Law. She wrote for this blog when a student. She is now a member of the U.S. Army Judge Advocate General's Corps.

Benjamin Zaiser

is both a scholar and a Federal Agent of the Federal Criminal Police Office of Germany. (Opinions expressed here are his own and not any part of official duty.)